[<prev] [next>] [day] [month] [year] [list]
Message-ID: <20031030015849.6502.qmail@sf-www3-symnsj.securityfocus.com>
Date: 30 Oct 2003 01:58:49 -0000
From: Graham Morley <GMorley_Public@...stclass.com>
To: bugtraq@...urityfocus.com
Subject: Re: FirstClass 7.1 HTTP Server: Remote Directory Listing
In-Reply-To: <fc.00802e600021e6b400802e600021e6b4.21e717@...m.org>
>FirstClass 7.1 HTTP Server allow the listing of all files under the web
>root directory and user web directories.
While this statement is correct, it is not a bug, but rather a misunderstanding/misconfiguration of the FirstClass system by the reporter. The base web folder and user personal web folders are all intended as public data repositories. Anything placed in them is universally accessible by default, unless they are placed in conferences (FirstClass' ACL protected containers) with appropriate permissions set. This is all by design in order to make web publishing as easy as possible for users and new administrators. Note that, in the out of the box configuration, no sensitive information is available in any of these folders.
As stated, private portions of a web site can easily be created by creating FirstClass conferences under the WWW folder (or a user's homepage folder) and setting their permissions (search included) to only allow authenticated users (or subsets thereof) to access the content in them. Alternatively, if the search function is really not desired, it is extremely easy to disable by accessing the "Unauthenticated Users" privilege group (in the "Groups" folder on the administrator's desktop) and turning off the search privilege. However, do not allow the disabling of unauthenticated search functionality to lull you into a false sense of security regarding your data. If you have placed it in a public folder, it remains accessible to anyone who knows how to get at it. The safest thing to do with sensitive information is to not put it in a public place.
>This vulnerability can disclose a huge amount of information about the
>servers setup which will aid attackers in exploiting further holes in the
>server.
This so-called "vulnerability" exposes *no* information about the site that is not already available, since any information turned up in this fashion is already in the public domain. What this really hilights is the poor security policy put in place by the site administrator if they have recklessly placed sensitive information in a public place.
------------------------------------------------------------------------Graham Morley
Developer, Internet Services Team
Open Text Corporation Messaging Division
Please visit our web sites:
- Open Text: www.opentext.com
- Messaging Division: www.firstclass.com
Powered by blists - more mailing lists